DETAILED ACTION

1. Claims 1-42 have been rejected.

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-4, 11, 14, 18-21, 28, 31, and 35-36 are rejected under 35 U.S.C. 103(a) as being
obvious over Patarin U.S. Pat. No. 6111952 (hereinafter Patarin) in view of Shamir U.S. Pat. No.
5375170 (hereinafter Shamir).

The applied reference has a common inventor with the instant application. Based upon 
the earlier effective U.S. filing date of the reference, it constitutes prior art only under 35 U.S.C. 
102(e). This rejection under 35 U.S.C. 103(a) might be overcome by: (1) a showing under 37 
CFR 1.132 that any invention disclosed but not claimed in the reference was derived from the 
inventor of this application and is thus not an invention "by another"; (2) a showing of a date of 
invention for the claimed subject matter of the application which corresponds to subject matter 
disclosed but not claimed in the reference, prior to the effective U.S. filing date of the reference 
under 37 CFR 1.131; or (3) an oath or declaration under 37 CFR 1.130 stating that the 
application and reference are currently owned by the same party and that the inventor named in 
the application is the prior inventor under 35 U.S.C. 104, together with a terminal disclaimer in 
accordance with 37 CFR 1.321(c). For applications filed on or after November 29, 1999, this
rejection might also be overcome by showing that the subject matter of the reference and the
claimed invention were, at the time the invention was made, owned by the same person or
subject to an obligation of assignment to the same person. See MPEP § 706.02(1)(1) and §
706.02(1)(2). The prior art by the inventors shows limitations disclosed in this application.

As per claims 1, 18, 35 and 36, Patarin discloses a digital signature cryptographic method
comprising: supplying a set S1 of k polynomial functions as a public key (Patarin: column 3
lines 47-48), the set S1 including the functions P_1(x_1, ..., x_{n+v}, y_1, ..., y_k), ...,
P_k(x_1, ..., x_{n+v}, y_1, ..., y_k), where k, v, and n are integers, x_1, ..., x_{n+v} are n+v
variables of a first type, y_1, ..., y_k are k variables of a second type, and the set S1 is
obtained by applying a secret key operation on a set S2 of k polynomial functions
P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k), where
a_1, ..., a_{n+v} are n+v variables which include a set of n "oil" variables a_1, ..., a_n and a
set of v "vinegar" variables a_{n+1}, ..., a_{n+v} (Patarin: column 2 line 27 - column 3 line 21);
applying a hash function on the message to produce a series of k values b_1, ..., b_k;
substituting the series of k values b_1, ..., b_k for the variables y_1, ..., y_k of the set S2
respectively to produce a set S3 of k polynomial functions P''_1(a_1, ..., a_{n+v}), ...,
P''_k(a_1, ..., a_{n+v}); selecting v values a'_{n+1}, ..., a'_{n+v} for the v "vinegar" variables
a_{n+1}, ..., a_{n+v} (Patarin: column 3 lines 49-54); solving the set of equations
P''_1(a_1, ..., a_n, a'_{n+1}, ..., a'_{n+v}) = 0, ..., P''_k(a_1, ..., a_n, a'_{n+1}, ..., a'_{n+v}) = 0
to obtain a solution a'_1, ..., a'_n (Patarin: column 3 lines 44-60). Patarin does not explicitly
teach providing a message to be signed, applying a hash function on the message to produce a
series of k values b_1, ..., b_k, and applying the secret key operation to transform
a'_1, ..., a'_{n+v} into a digital signature e_1, ..., e_{n+v}. However,
Shamir discloses that limitation (Shamir: column 3 line 63 - column 4 line 5: provide the
message and apply the hash function; column 4 lines 1-5: use the knowledge of the secret function to
compute a signature). It would have been obvious to one having ordinary skill in the art to
combine the teachings of Shamir within the system of Patarin because it is well known in the art
to use a hash function to mix and encrypt the data and transform it into a digital signature.

As per claims 2 and 19, the combination of Patarin-Shamir discloses a method according
to claim 1. Patarin further discloses the method comprising the step of verifying the digital
signature (Patarin: column 4 lines 1-6).

As per claims 3, 14, 20, and 31, the combination of Patarin-Shamir discloses a method
according to claim 1. Patarin further discloses a method according to claim 2 wherein said
verifying step comprises: verifying that the equations P_1(e_1, ..., e_{n+v}, b_1, ..., b_k) = 0, ...,
P_k(e_1, ..., e_{n+v}, b_1, ..., b_k) = 0 are satisfied (Patarin: column 3 line 62 - column 4 line 6). Patarin
does not explicitly disclose that the method comprises obtaining the signature e_1, ..., e_{n+v}, the message,
the hash function and the public key, and applying the hash function on the message to produce the
series of k values b_1, ..., b_k. However, Shamir further discloses these limitations (Shamir: column
4 lines 6-15: v_i corresponds to b_i, h is the hash function and f_i is the public key). It would
have been obvious to one having ordinary skill in the art to combine the teachings of Shamir
within the system of Patarin because the verifier is required to obtain certain parameters
before being able to verify the signature.
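The claim-1 signing procedure cited above (hash the message to b_1, ..., b_k; fix random vinegar values; solve the remaining system, which is linear in the oil variables; apply the secret map) together with the claim-3 verification, as an added worked example that is not part of the office action or of the cited patents. It assumes a toy parameter set K = GF(31), n = 3 oil and v = 5 vinegar variables, a linear (rather than affine) secret map s, and secret polynomials of the shape P'_i(a, y) = a^T Q_i a - y_i; every name in it is the example's own.

```python
import hashlib
import random

P = 31      # the finite field K = GF(31), so q = 31 (toy size, constructed)
N = 3       # n "oil" variables a_1..a_n
V = 5       # v "vinegar" variables a_{n+1}..a_{n+v}, chosen with v > n
K = N       # k = n equations, one per oil unknown
M = N + V   # number of variables a_1..a_{n+v}


def solve_mod_p(a, b):
    """Gauss-Jordan over GF(P): solve the square system a*x = b.
    Returns None when the system is singular (the signer then retries)."""
    n = len(a)
    aug = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % P), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [(x * inv) % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def mat_inverse(s):
    """Inverse of a square matrix over GF(P), one column at a time (None if singular)."""
    n = len(s)
    cols = []
    for j in range(n):
        c = solve_mod_p(s, [1 if i == j else 0 for i in range(n)])
        if c is None:
            return None
        cols.append(c)
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def quad(q, a):
    """Evaluate the quadratic form a^T q a over GF(P)."""
    return sum(q[i][j] * a[i] * a[j] for i in range(M) for j in range(M)) % P


def keygen(rng):
    """Secret key: k upper-triangular forms Q_i in which every oil*oil coefficient
    is zero (the subset S2' of the claims) plus an invertible linear map s, kept
    as the matrix S and its inverse.  Public key: the forms S^T Q_i S, i.e.
    P_i(x, y) = x^T (S^T Q_i S) x - y_i, since a = S x."""
    forms = []
    for _ in range(K):
        q = [[0] * M for _ in range(M)]
        for i in range(M):
            for j in range(i, M):
                if not (i < N and j < N):          # skip the oil*oil monomials
                    q[i][j] = rng.randrange(P)
        forms.append(q)
    while True:
        s = [[rng.randrange(P) for _ in range(M)] for _ in range(M)]
        s_inv = mat_inverse(s)
        if s_inv is not None:
            break
    public = [[[sum(s[r][i] * q[r][c] * s[c][j] for r in range(M) for c in range(M)) % P
                for j in range(M)] for i in range(M)] for q in forms]
    return (forms, s_inv), public


def hash_to_field(msg):
    """b_1..b_k: hash the message into k elements of K (domain-separated by index)."""
    return [int.from_bytes(hashlib.sha256(msg + bytes([i])).digest(), "big") % P
            for i in range(K)]


def sign(secret, msg, rng):
    forms, s_inv = secret
    b = hash_to_field(msg)
    while True:
        vin = [rng.randrange(P) for _ in range(V)]      # a'_{n+1}..a'_{n+v}, random
        rows, rhs = [], []
        for q, bi in zip(forms, b):
            # with the vinegar values fixed, a^T q a is affine in the oil variables
            rows.append([sum(q[i][N + j] * vin[j] for j in range(V)) % P for i in range(N)])
            const = sum(q[N + i][N + j] * vin[i] * vin[j] for i in range(V) for j in range(V))
            rhs.append((bi - const) % P)
        oil = solve_mod_p(rows, rhs)                     # a'_1..a'_n by Gaussian reduction
        if oil is not None:
            break
    a = oil + vin
    # secret key operation: the signature e = s^{-1}(a), so that S e = a
    return [sum(s_inv[i][j] * a[j] for j in range(M)) % P for i in range(M)]


def verify(public, msg, sig):
    """Claim-3 check: P_i(e_1..e_{n+v}, b_1..b_k) = 0 for every public form."""
    b = hash_to_field(msg)
    return all(quad(pq, sig) == bi for pq, bi in zip(public, b))


def demo(seed=7):
    """Key generation, signing, and the verification outcome for the signed
    message and for a different message, with a seeded RNG."""
    rng = random.Random(seed)
    secret, public = keygen(rng)
    msg = b"constructed test message"
    sig = sign(secret, msg, rng)
    return verify(public, msg, sig), verify(public, b"another message", sig)
```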

As per claims 4 and 21, the combination of Patarin-Shamir discloses a method according
to claim 1. Patarin further discloses that the set S2 comprises the set f(a) of k polynomial functions of
the HFEV scheme (Patarin: column 3 lines 16-22).

As per claims 11 and 28, the combination of Patarin-Shamir discloses a method according
to claim 1. Patarin further discloses that said secret key operation comprises a secret affine
transformation s on the n+v variables a_1, ..., a_{n+v} (Patarin: column 3 lines 8-25).

4. Claims 5-6, 8, 15, 22, 23, 25, and 32 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Patarin in view of Shamir as applied to claim 1 above, and further in view of 
Shamir et al 'Cryptanalysis of the Oil and Vinegar Signature Scheme' (hereinafter Shamir2). 

As per claims 5 and 22, the combination of Patarin-Shamir discloses a method according
to claim 1. Patarin-Shamir does not explicitly disclose that the set S2 comprises the set S of k
polynomial functions of the UOV scheme. However, Shamir2 discloses that limitation (Shamir2:
page 259). It would have been obvious to one having ordinary skill in the art to combine the
teachings of Patarin, Shamir, and Shamir2 because polynomial functions of different schemes can
be used interchangeably to improve the security of the signature.

As per claims 6, 15, 23, and 32, the combination of Patarin-Shamir discloses a method
according to claim 1. Patarin-Shamir does not explicitly disclose that said supplying step comprises
the step of selecting the number v of "vinegar" variables to be greater than the number n of "oil"
variables. However, Shamir2 discloses that limitation (Shamir2: page 266: need to modify the
definition of the oil and vinegar domains). It would have been obvious to one having ordinary skill
in the art to combine the teachings of Patarin, Shamir, and Shamir2 because a different number of
variables makes it less clearly distinguishable from the quadratic terms in the published forms
and thus makes it harder to attack.
As per claims 8 and 25, the combination of Patarin-Shamir discloses a method according
to claim 1. Patarin further discloses that said supplying step comprises the step of obtaining the set S1
from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized in
that all coefficients of components involving any of the y_1, ..., y_k variables in the k polynomial
functions P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k) are zero (Patarin: column 3 lines
5-54). Patarin-Shamir does not explicitly disclose that the number v of "vinegar" variables is greater
than the number of "oil" variables. However, Shamir2 discloses that limitation (Shamir2: page
266). The same rationale applies here as above in rejecting claim 6.

5. Claims 7, 9, 10, 16-17, 24, 26-27, and 33-34 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Patarin in view of Shamir as applied to claim 1 above, and further in view of 
Patarin U.S. Pat. No. 5790675 (hereinafter Patarin2). 

As per claims 7 and 24, the combination of Patarin-Shamir discloses a method according
to claim 1. Patarin further discloses that v is selected such that q^v, where q is the number of elements
of a finite field K (Patarin: column 3 lines 5-22: q is the number of elements of K while n is the
number of variables, which is equal to the message length, or n = m). Patarin-Shamir does not explicitly
disclose that q^v is greater than 2^32. However, Patarin2 discloses that limitation (Patarin2: column 7
lines 45-50: 32 bits is equal to 2^32). It would have been obvious to one having ordinary skill in
the art to combine the teachings of Patarin, Shamir, and Patarin2 because it ensures maximum
security and prevents exhaustive search attacks.

As per claims 9, 10, 16, 17, 26, 27, 33, and 34, the combination of Patarin-Shamir
discloses a method according to claim 8. Patarin further discloses that the set S2 comprises the set S
of k polynomial functions of the UOV scheme, and that the number v of "vinegar" variables is
selected so as to satisfy one of the following conditions (Patarin: column 3 lines 5-22: q is the
number of elements of K while n is the number of variables, which is equal to the message length, or n = m).
Patarin does not explicitly disclose the conditions. However, Patarin2 discloses the limitation (a):
for each characteristic p other than 2 of a field K in an "Oil and Vinegar" scheme of degree 2, v
satisfies the inequality q^{v-n-1} · n^4 > 2^40 (Patarin2: column 7 lines 45-50: 32 bits and preferably
64 bits). It would have been obvious to combine the teachings of Patarin, Shamir, and Patarin2
because there exists a bound to ensure the minimum level of security and it does not have to be a
specific number.

6. Claims 12-13, and 29-30 are rejected under 35 U.S.C. 103(a) as being obvious over 
Patarin in view of Shamir, and further in view of Patarin 'Hidden Fields Equations (HFE) and 
Isomorphisms of Polynomials (IP): Two Families of Asymmetric Algorithms' (hereinafter 
Patarin3). 

As per claims 12 and 29, the combination of Patarin-Shamir discloses a method according
to claim 4. Patarin does not explicitly disclose that said set S2 comprises an expression including k
functions that are derived from a univariate polynomial. However, Patarin3 discloses that
limitation (Patarin3: page 34: preliminaries). It would have been obvious to one having ordinary
skill in the art to combine the teachings of Patarin, Shamir, and Patarin3 because the univariate
polynomial is isomorphic to a finite field.

As per claims 13 and 30, the combination of Patarin-Shamir-Patarin3 discloses a method
according to claim 12. Patarin3 further discloses that the univariate polynomial includes a univariate
polynomial of degree n. The same rationale applies here as above in rejecting claim 12. Patarin3 does
not explicitly disclose that the degree is less than or equal to 100,000. However, Patarin further
discloses that limitation (Patarin: column 6 lines 17-35: let d <= 9000).

7. Claims 37-42 are rejected under 35 U.S.C. 103(a) as being unpatentable over Patarin in 
view of Shamir and further in view of Applicant's Admitted Prior Art (hereinafter AAPA) and 
further in view of Shamir2. 

As per claims 37 and 40, the combination of Patarin-Shamir discloses the method
according to claim 1. Patarin-Shamir further discloses that coefficients of components involving
multiplication of two or more of the n "oil" variables a_1, ..., a_n in the k polynomial functions
P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k) are zero (Patarin: column 3 lines 44-60).
Patarin-Shamir does not explicitly disclose said subset S2' being characterized in that all
coefficients of components involving orders higher than 1 of any of the n "oil" variables a_1, ..., a_n
and the number. However, AAPA discloses that limitation (AAPA: pages 2-3: the (S) equations
are n equations of degree one in the a_i variables when the a'_i variables are fixed). Therefore, it
would have been obvious to one having ordinary skill in the art to combine the teachings of
Patarin, Shamir, and AAPA because different orders of the variables make it less clearly
distinguishable from the quadratic terms in the published forms and thus make it harder to attack.
The combination of Patarin-Shamir-AAPA does not explicitly disclose that the number v of
"vinegar" variables is greater than the number n of "oil" variables. However, Shamir2 discloses
that limitation (Shamir2: page 266: need to modify the definition of the oil and vinegar domains). The same
rationale applies here as above in rejecting claim 6.
As per claims 38 and 41, the combination of Patarin-Shamir-AAPA-Shamir2 discloses the
method according to claim 37. Patarin further discloses that the set S2 comprises the set S of k
polynomial functions of the UOV scheme, and that the number v of "vinegar" variables is selected so
as to satisfy one of the following conditions (Patarin: column 3 lines 5-22: q is the number of
elements of K while n is the number of variables, which is equal to the message length, or n = m). Patarin does
not explicitly disclose the conditions. However, Patarin2 discloses the limitation (a): for each
characteristic p other than 2 of a field K in an "Oil and Vinegar" scheme of degree 2, v satisfies
the inequality q^{v-n-1} · n^4 > 2^40 (Patarin2: column 7 lines 45-50: 32 bits and preferably 64 bits).
It would have been obvious to combine the teachings of Patarin, Shamir, and Patarin2 because
there exists a bound to ensure the minimum level of security and it does not have to be a specific
number.

As per claims 39 and 42, the combination of Patarin-Shamir-AAPA-Shamir2 discloses the
method according to claim 37. Patarin further discloses that the set S2 comprises a set S of k
polynomial functions of a UOV scheme (Patarin: column 3 lines 5-22: q is the number of
elements of K while n is the number of variables, which is equal to the message length, or n = m). Patarin2
further discloses that the number v of "vinegar" variables is selected to satisfy the inequality
q^{v-n-1} · n^4 > 2^40 for a characteristic p = 2 of a field K in an "Oil and Vinegar" scheme of degree 2, where
K is a finite field over which the sets S1, S2, and S3 are provided and q is the number of
elements of K (Patarin2: column 7 lines 45-50: 32 bits and preferably 64 bits). The same rationale
applies here as above in rejecting claim 38.
Conclusion

8. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

Hoffstein et al. U.S. Pat. No. 6076163 discloses secure user identification based on 
constrained polynomials. 

Smith U.S. Pat. No. 5351298 discloses cryptographic communication method and 
apparatus. 

Patarin's 'Asymmetric Cryptography with a Hidden Monomial'. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Shin-Hon Chen whose telephone number is (703) 305-8654. The 
examiner can normally be reached on Monday through Friday 8:00am to 4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (703) 305-9648. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Shin-Hon Chen 
Asymmetric Cryptography with a
Hidden Monomial

and a candidate algorithm for ≃ 64 bits asymmetric signatures

Jacques Patarin

CP8 TRANSAC, 68 route de Versailles - BP 45
78431 Louveciennes Cedex - France
e-mail: J.Patarin@frlv.bull.fr

Abstract 

In [1] T. Matsumoto and H. Imai have presented a very efficient "candidate" algorithm,
called C*, for asymmetric cryptography. This algorithm was broken in [2]. Then in [3],
I have suggested two algorithms, HFE and IP, to repair C*. However the secret key
computations of HFE and IP are not as efficient as in the original algorithm C*. Is it
possible to repair C* with the same kind of very easy secret key computations? This
question is the subject of this paper. Unfortunately, we will see that for all the "easy"
transformations of C* the answer is no. However one of the new ideas of this paper
will enable us to suggest a candidate algorithm for asymmetric signatures of length only
64 bits. An extended version of this paper can be obtained from the author.

1 Introduction 

In [1] T. Matsumoto and H. Imai have presented a very efficient algorithm C*
for asymmetric cryptography (authentications, signatures or encryptions) with
public multivariate quadratic polynomials. This algorithm was based on the idea
of "hiding" a monomial equation b = a^{1 + q^θ} by two affine permutations s
and t. In [2], I have shown that this original algorithm was insecure. Then in [3],
I have suggested two new algorithms HFE and IP in order to repair C*. HFE uses
more complex hidden functions f (functions f with more than one monomial and
sometimes also more than one variable a) but the computation of f^{-1} with the
secret key is (of course still feasible but is) more difficult than in C*. IP is a very
different algorithm. It looks like the famous Graph Isomorphisms algorithm.

Is it possible to repair C* and keep the same kind of easy secret key
computations? For example with multivariate polynomials of total degree 3 or
4 in the public form (instead of two) if necessary? This question is the subject
of this paper.
First we will describe two new asymmetric "candidate" algorithms: Dragon
and MIIP-3. These algorithms are very efficient. Then we will see that some
easier algorithms are insecure. Then we will extend our attacks to see that
Dragon with one hidden monomial and MIIP-3 are also insecure.

So it seems that there is not an easy way to "hide" a monomial in order
to avoid polynomial attacks... Nevertheless at the end of this paper, we will
show that the idea of "Dragon" Algorithms (however with more than one monomial)
gives us a candidate algorithm for extremely short asymmetric signatures.
Moreover another family of algorithms (not described here) is still under
investigation.

PART 1: Description of the hidden monomial schemes 

2 "Dragon": a new family of algorithms for asymmetric cryptography

The public polynomials of the "Dragon" family 

The first family of algorithms that we will describe is called "Dragon". Before
going into details, let us start by showing the differences between the public
polynomials of a scheme like the Matsumoto-Imai C* scheme of [1] and the Dragon
schemes.

• In the Matsumoto-Imai C* scheme (or in my HFE scheme of [3]), the public
equations are n multivariate polynomials P_1, ..., P_n over a finite field K
(n integer), and these polynomials give y_1, ..., y_n as functions of x_1, ..., x_n
like this:

y_1 = P_1(x_1, ..., x_n)
y_2 = P_2(x_1, ..., x_n)
⋮
y_n = P_n(x_1, ..., x_n)

where in encryption (x_1, ..., x_n) is the cleartext and (y_1, ..., y_n) the
ciphertext (in signature (x_1, ..., x_n) is the signature and (y_1, ..., y_n) the
message to sign or a public transformation of the message to sign). Moreover
in the C* Algorithm the polynomials P_1, ..., P_n have total degree 2.

• In the Dragon algorithms that we will describe the public equations are λ
multivariate polynomials over a field K (or a ring) like this:

P_1(x_1, ..., x_n, y_1, ..., y_m) = 0
P_2(x_1, ..., x_n, y_1, ..., y_m) = 0
⋮
P_λ(x_1, ..., x_n, y_1, ..., y_m) = 0

where P_1, P_2, ..., P_λ are polynomials of K^n × K^m → K of small total
degree (for example 2, 3 or 4).

As before in encryption (x_1, ..., x_n) is the cleartext and (y_1, ..., y_m) the
ciphertext (in signature (x_1, ..., x_n) is the signature and (y_1, ..., y_m) the message
to sign or a public transformation of the message to sign).

So the big difference in the public equations between the Dragon algorithms
and the Matsumoto-Imai algorithms is that we have "mixed" the variables x_i and
y_j.

First example of Dragon in encryption 

Here λ = m = n and K is a small finite field. Let q = |K| be the number of
elements of K. For example K = F_2 = GF(2), the finite field with two elements.

(x_1, ..., x_n) ∈ K^n is the cleartext. (y_1, ..., y_n) ∈ K^n is the ciphertext. If we
have the secrets then we can obtain (y_1, ..., y_n) from (x_1, ..., x_n) like this (we
will see below another way to compute (y_1, ..., y_n) from (x_1, ..., x_n) without
any secrets):

1. x = (x_1, ..., x_n) is first transformed with an affine secret permutation s,
so we obtain s(x) = a = (a_1, ..., a_n).

2. Then a is transformed in b such that

a^{q^θ + q^φ} · M(b) = a^{q^ζ + q^ξ} · N(b)    (1)

where θ, φ, ζ, ξ are secret or public integers such that h = q^θ + q^φ − q^ζ − q^ξ
is coprime with q^n − 1, q = |K|, where the exponentiations are done
in a representation of the field F_{q^n}, and where M and N are two affine
functions (we will comment on the choice of M and N below).
How do we compute b from a? (We will now give a general way to compute
b from a but we will see below that there are sometimes some easier ways.)
If we write the equation (1) in the components (a_1, ..., a_n) and (b_1, ..., b_n)
of a and b (i.e. in a basis of F_{q^n}), we will obtain n equations like this
(equations (2)):

where the γ coefficients (and the other coefficients) are elements of K.

The reason for this is that x ↦ x^{q^θ} and x ↦ x^{q^φ} are linear functions of
F_{q^n}, so x ↦ x^{q^θ + q^φ} in a basis and x ↦ x^{q^ζ + q^ξ} are given by quadratic
polynomials.

Now when (a_1, ..., a_n) is given the n equations (2) give n equations of
degree 1 in the values b_i. So by Gaussian reduction it is then easy (on a
computer) to find all the solutions of these equations. We will assume that
at least one solution b is found such that M(b) ≠ 0 or N(b) ≠ 0 (we will
comment on this point at the end of this paragraph). If more than one such
b is found, we randomly choose one of the solutions for b.

3. Finally b = (b_1, ..., b_n) is transformed with another affine secret permutation
t, so we obtain t(b) = y = (y_1, ..., y_n).



Copyright (c) 1998, Springer-Verlag






Remark. All these operations are invertible, so it is possible to compute
(x_1, ..., x_n) from (y_1, ..., y_n) if the secrets s, t, θ, φ, ζ, ξ and the representation
of the field F_{q^n} are known. For example if M(b) ≠ 0 then a will be found
from b by:

a = (N(b)/M(b))^{h'} where h' is the inverse of h = q^θ + q^φ − q^ζ − q^ξ modulo



Public computation of (y_1, ..., y_n) from (x_1, ..., x_n)

The n equations (2) will be transformed in a system of n equations like this
(equations (3)):

i.e. n equations P_i(x_1, ..., x_n, y_1, ..., y_n) = 0, i = 1, ..., n, where P_i is a
polynomial of K^{2n} → K, of total degree three. These n equations (3) will be
public. They are the public key.

The computation of the n equations (3) from the n equations (2) is done in
two steps: first we replace the b_i by their affine expression in the y_j and the a_i by
their affine expression in the x_j (Step 1). Then a linear and bijective transformation
u is done on these equations (Step 2).

Note 1. This Step 2 transformation u is secret, or is done in a way to have
equations (3) with a conventional presentation (for example the equation number
k (1 ≤ k ≤ n) will have a term in x_1^2 y_k and no terms in x_1^2 y_j, j ≠ k; this
gives a conventional presentation obtained by Gaussian reductions).

Note 2. We will see in paragraph 4 that the public key length can be moderate
despite the fact that the public polynomials are of total degree three. With these
public equations (3) anybody will be able to encrypt a message, i.e. to compute
(y_1, ..., y_n) from (x_1, ..., x_n) without any secret (this is always feasible if there
is a value b such that (1) is satisfied).

The reason for this is that when (x_1, ..., x_n) are given, the n equations (3)
give n equations of degree 1 in the values y_i. So by Gaussian reduction it is then
easy to find all the solutions of these equations.

Remark. What is unusual with these Dragon Algorithms is that although anybody
can compute (y_1, ..., y_n) from (x_1, ..., x_n) nobody can express the x_i
variables as an effective polynomial in the y_j variables (this polynomial exists
but is too large to be explicit if the parameters are well chosen). What is also
unusual is the fact that these "Dragon Algorithms" use in a way the cryptanalysis
algorithms of [2] (i.e. with Gaussian reduction) in order to design new
cryptosystems.
The first example of Dragon in signature

It is easy to use this little Dragon Algorithm for asymmetric signatures. For
example if (y_1, ..., y_n) is the message to sign (or a public transformation of
the message to sign), then (x_1, ..., x_n) will be the signature. (The value x
corresponding to a = 0 may be public in order to avoid this value being a valid
signature of any message.)

About the choice of M and N

There are different ways to choose M and N.

Example 1 In this example, M and N are two secret random affine functions.
In signature this Dragon Algorithm is very efficient, but in encryption we may
have no solution in b for equation (1).

However, the probability is high to find a solution b (if q is not too small).
(See the extended version for more details.) Moreover in the design of the scheme
we can decide that a few bytes of the message x have no information, and in the
case we find no y for a specific x, we can change these bytes and try again.

Example 2 In this example M(b) = b and N(b) = μ b^{q^α} + ν b where α is an
integer such that q^α − 1 is coprime with q^n − 1 and where μ and ν are two
elements of F_{q^n} with μ ≠ 0 (but ν = 0 is possible). So the equation (1) is:

a^{q^θ + q^φ} · b = a^{q^ζ + q^ξ} · (μ b^{q^α} + ν b).    (4)

Now for each a ≠ 0 there is exactly one b ≠ 0 such that (4) is satisfied.

So this example 2 is an example of candidate trapdoor one way permutation!
Moreover here the computation of b from a can be done by square and multiply
(instead of Gaussian reductions).

Example 3 In this example M(b) = b and N(b) = αb + 1, where α is a secret
element of F_{q^n}, α ≠ 0. So the equation (2) gives

b = 1 / (a^{q^θ + q^φ − q^ζ − q^ξ} − α).

So here again we have a candidate trapdoor one way permutation!

3 The algorithm MIIP-3

We will now see a second family of algorithms.
Description of the algorithm

As usual, let K be a finite field. Let L_n be an extension of degree n of K. Let
x and y be two elements of L_n. In a basis x is represented by (x_1, x_2, ..., x_n)
and y by (y_1, ..., y_n) where ∀i, 1 ≤ i ≤ n, x_i and y_i are elements of K. Let s
and t be two secret affine functions of K^n → K^n. The transformation from x to
y can be obtained by these steps (if the secrets are known):
Step 1 Compute a = s(x).

Step 2 Compute (in L_n): b = a^{1 + q^θ + q^φ} where q = |K| and θ and φ are two
integers, 1 ≤ θ < φ, such that h = 1 + q^θ + q^φ is coprime with q^n − 1.

Step 3 Finally compute y = t(b).

In a basis each component of y can be written as a polynomial P_i of total
degree three in the x_j values, 1 ≤ j ≤ n.

These n polynomials P_i, 1 ≤ i ≤ n, are made public. So, from these public
polynomials, anybody can compute y from x (in encryption y is the encryption
of x, and in signature x is the signature of y). Now if the secrets are known it
is also easy to compute x from y: each step is easily invertible. But it "seems"
that if the secrets are not known then x can not be computed from y (we will
study this point in paragraph 9).

We call this algorithm MIIP-3: Matsumoto-Imai with Improved Parameters
of degree 3. Compared with the original Matsumoto-Imai C* Algorithm [1] we
have made three important changes:

1. There is only one branch (i.e. after Step 1, the value a is not split in
several branches as in [1]). The reason for this will be given in paragraph
5.

2. The transformation b = f(a) gives polynomials of degree three (and not
two as in [1]). The reason for this is that the cryptanalysis of transformations
b = a^{1 + q^θ} was given in [2].

3. The field K is not necessarily of characteristic 2. (In [1] the field K was of
characteristic 2 in order to find some θ such that 1 + q^θ be coprime with
q^n − 1. If q is odd this is not possible.)

Remark It is very easy to find some bad values for θ and φ. For example if
q = 2, θ = 1, and φ = 2, then

b = a^7, so b · a = a^8    (5)

and from this equation (5) it is easy to see that the scheme can be attacked
exactly as the original C* scheme in [2]. However for almost all the choices of θ
and φ the attack of [2] does not work against MIIP-3.

Equations (G1), (G2), (G3)

Since b = a^{1 + q^θ + q^φ}, these three general equations (G1), (G2), (G3) are always
satisfied:

(G1) a^{1 + q^θ} · b^{q^φ} = b · a^{q^φ (q^θ + q^φ)}

(G2) a^{1 + q^φ} · b^{q^θ} = b · a^{q^θ (q^θ + q^φ)}
Note, in a basis (G1), (G2), (G3) give 3n equations. Generally these 3n equations
are "formally" independent, i.e. they generate a vector space of dimension
3n. However if we give some explicit values for b, b ≠ 0, then we will now prove
that (G1), (G2), (G3) will give only 2n independent equations.

Proof Let A = a^{1 + q^θ}, B = a^{1 + q^φ} and C = a^{q^θ + q^φ}. Then:

(G1) A · b^{q^φ} = b · C^{q^φ}

(G2) B · b^{q^θ} = b · C^{q^θ}

(G3) A^{q^θ} · b^{q^φ} = B^{q^φ} · b^{q^θ}

and let us assume that b is known, and that A, B and C are unknown. Then
from (G1), (G2) and (G3) will we be able to find A, B, and C? No, because (G3)
is just a consequence of (G1) and (G2): from (G1) we have A = b^{1 − q^φ} · C^{q^φ}, and
from (G2) we have B = b^{1 − q^θ} · C^{q^θ}, so A^{q^θ} = b^{q^θ − q^{θ+φ}} · C^{q^{θ+φ}} = b^{q^θ − q^φ} · B^{q^φ}.

So from (G1), (G2), (G3) we will have only 2n independent equations in the 3n
components (of degree 2 in the x_i) of A, B, and C. (Moreover this proves that
if b ≠ 0, we will always have exactly 2n independent equations in the (≤ 3n)
components of A, B and C.)
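An added example (not from the paper) that works in F_{2^7}, with the modulus x^7 + x + 1, to check the equations of Dragon Example 3 above and of MIIP-3 on every field element: that Step 2 of MIIP-3 is undone with h' = h^{-1} mod (q^n − 1), that (G1), (G2), (G3) hold, that the bad choice q = 2, θ = 1, φ = 2 yields the relation b · a = a^8 of (5) with a ↦ a^8 linear over F_2, and that Example 3 gives b = 1/(a^h − α) with a recovered as (N(b)/M(b))^{h'}. The field size, the exponents θ = 1, φ = 3 (MIIP-3) and θ = 1, φ = 3, ζ = 0, ξ = 2 (Dragon) and the value of α are constructed for the example.

```python
# Constructed parameters: F_{2^7} = F_2[x]/(x^7 + x + 1), so q = 2, n = 7.
N_BITS = 7
MOD_POLY = 0b10000011        # x^7 + x + 1, irreducible over GF(2)
ORDER = (1 << N_BITS) - 1    # q^n - 1 = 127, order of the multiplicative group
Q = 2


def gf_mul(x, y):
    """Multiply two elements of F_{2^7} represented as 7-bit integers."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> N_BITS:
            x ^= MOD_POLY
    return r


def gf_pow(x, e):
    """x^e; exponents are taken modulo q^n - 1 (valid for x != 0, and for
    x == 0 whenever e is not a multiple of q^n - 1)."""
    e %= ORDER
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def gf_inv(x):
    return gf_pow(x, ORDER - 1)


# --- MIIP-3: b = a^{1+q^theta+q^phi}, undone with h' = h^{-1} mod (q^n - 1) ---
THETA, PHI = 1, 3
H3 = 1 + Q**THETA + Q**PHI             # 11, coprime with 127
H3_INV = pow(H3, -1, ORDER)            # 104


def miip3_step2(a):
    return gf_pow(a, H3)


def miip3_invert(b):
    return gf_pow(b, H3_INV)


def g_identities_hold(a):
    """(G1) A b^{q^phi} = b C^{q^phi}, (G2) B b^{q^theta} = b C^{q^theta},
    (G3) A^{q^theta} b^{q^phi} = B^{q^phi} b^{q^theta}, with
    A = a^{1+q^theta}, B = a^{1+q^phi}, C = a^{q^theta+q^phi}."""
    b = miip3_step2(a)
    qt, qp = Q**THETA, Q**PHI
    A, B, C = gf_pow(a, 1 + qt), gf_pow(a, 1 + qp), gf_pow(a, qt + qp)
    g1 = gf_mul(A, gf_pow(b, qp)) == gf_mul(b, gf_pow(C, qp))
    g2 = gf_mul(B, gf_pow(b, qt)) == gf_mul(b, gf_pow(C, qt))
    g3 = gf_mul(gf_pow(A, qt), gf_pow(b, qp)) == gf_mul(gf_pow(B, qp), gf_pow(b, qt))
    return g1 and g2 and g3


def bad_parameters_relation(a1, a2):
    """q=2, theta=1, phi=2 gives b = a^7, hence b*a = a^8 (equation (5)); the
    map a -> a^8 is F_2-linear, so (5) is of degree 1 in a and in b."""
    b1 = gf_pow(a1, 7)
    relation = gf_mul(b1, a1) == gf_pow(a1, 8)
    frobenius_additive = gf_pow(a1 ^ a2, 8) == gf_pow(a1, 8) ^ gf_pow(a2, 8)
    return relation and frobenius_additive


# --- Dragon, Example 3: M(b) = b, N(b) = alpha*b + 1 --------------------------
D_THETA, D_PHI, D_ZETA, D_XI = 1, 3, 0, 2
HD = Q**D_THETA + Q**D_PHI - Q**D_ZETA - Q**D_XI   # 2+8-1-4 = 5, coprime with 127
HD_INV = pow(HD, -1, ORDER)                         # 51
ALPHA = 0b0101101                                   # secret alpha != 0 (constructed)


def dragon_b_from_a(a):
    """Equation (1) with this M, N reduces to b = 1/(a^h - alpha)."""
    d = gf_pow(a, HD) ^ ALPHA        # subtraction is XOR in characteristic 2
    return None if d == 0 else gf_inv(d)


def dragon_equation_holds(a, b):
    """Check (1): a^{q^theta+q^phi} M(b) = a^{q^zeta+q^xi} N(b)."""
    lhs = gf_mul(gf_pow(a, Q**D_THETA + Q**D_PHI), b)
    rhs = gf_mul(gf_pow(a, Q**D_ZETA + Q**D_XI), gf_mul(ALPHA, b) ^ 1)
    return lhs == rhs


def dragon_a_from_b(b):
    """The remark's inversion: a = (N(b)/M(b))^{h'} when M(b) != 0."""
    return gf_pow(gf_mul(gf_mul(ALPHA, b) ^ 1, gf_inv(b)), HD_INV)
```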

4 Implementations and public key lengths

The algorithms Dragon and MIIP-3 that we have seen are very efficient. These
algorithms are fast and can easily be implemented in smartcards with low power
(without arithmetic coprocessor). Moreover we will see now that the public key
length can be very moderate for two reasons:

1. We can have a value n which is not too large (for example n = 32) if we
have a value q which is not too small.

2. Moreover, the public key can be written with polynomials of total degree
two (instead of three) as we will see now! (Unfortunately this idea will
help us to attack the schemes as we will see in Part 2.)

Dragon 

In the Dragon algorithms of paragraph 2, the hidden equation is: 

a^{q^θ+q^φ} · M(b) = a^{q^{θ'}+q^{φ'}} · N(b). (6) 

For simplicity of the equations let us assume that s and t are linear (if s and t 
are affine the same results will also hold). The public key, computed from this 
equation (6), is a set of n equations like this: 

Σ_{j,k,l} γ_{ijkl} x_j x_k y_l = 0, i = 1, …, n. 

Let P_{il} = Σ_{j,k} γ_{ijkl} x_j x_k. We have O(n²) such values P_{il}. But how many independent 
such P_{il} will we have? In fact at most 2n because in the hidden equation 
(6) we have n components from a^{q^θ+q^φ} and n components from a^{q^{θ'}+q^{φ'}}. So all 
the P_{il} can be written as a linear expression in only λ variables, λ ≤ 2n, that 
we will call p_1, …, p_λ. So we see that the public key can always be written 
(without changing the security since this new public key can be computed from 
the original in polynomial complexity) as two sets of equations: 

p_i := Σ_{j=1}^{n} Σ_{k=1}^{n} ν_{ijk} x_j x_k (i = 1 to λ, λ ≤ 2n) 

Σ_{j=1}^{λ} Σ_{k=1}^{n} δ_{ijk} p_j y_k = 0 (i = 1 to n) 

In these new public equations we will have only O(n³) terms instead of O(n⁴) 
terms in the original presentation. 

Note. If a^{q^{θ'}+q^{φ'}} is not a linear transformation of a^{q^θ+q^φ} then λ = 2n with a 
very high probability. It is not clear if λ can be ≠ n, ≠ 2n and < 2n and what 
cryptanalysis can be done if this occurs. 

MIIP-3 

Similarly, from the public key of a MIIP-3 algorithm it is always feasible to 
compute all the equations Σ γ_{ijk} x_j y_k + ⋯ = 0 that are always true when x is 
the encryption of y, and to see that the terms in the y_k variables are generated 
by only about O(n) polynomials of degree two. The fact that we always have 
such polynomials comes from the (G1), (G2), (G3) equations. If we denote by 
p_1, …, p_λ these polynomials (λ = O(n) and λ = 3n very often), then instead of 
the public key we can write (without changing the security) about μ equations 
like this, μ ≥ 3n: 

Σ_{k=1}^{n} Σ_{j=1}^{λ} δ_{ijk} p_j y_k + ⋯ = 0, 1 ≤ i ≤ μ. 

(Most of these equations come from (G1), (G2), (G3). However sometimes we 
will have μ ≈ 4n or μ ≈ 5n when we will have more equations than (G1), (G2), 
(G3). But μ is always such that μ ≈ kn, with k small and k ≥ 3). 

These equations plus the definitions of p_1, …, p_λ are the new public key and 
we have about O(n³) terms in the new public key instead of O(n⁴) terms in the 
original public key. 

Note. The designer of the scheme can choose to make public only a part of 
these equations, for example those coming from (G1). This may make the attack 
easier (as we will see in Part 2) since he has isolated (G1) from (G2) and (G3). 
However since anybody can compute the set of all the equations as above it does 
not change the security, from the polynomial complexity point of view, to present 
this set of O(n³) equations as the new public key. 

PART 2: Cryptanalysis results 

5 Cryptanalysis of extended Matsumoto-Imai Algorithms with small branches 

In the description of the original Matsumoto-Imai C* algorithm given in [1], after 
the first affine transformation s, the inputs are divided in d branches. We have 
not made such a separation in our description of Dragon and MIIP-3, because 
we have found three very general attacks against small branches. We describe 
these three attacks in the extended version of this paper. These three attacks are 
very instructive and they are based on three completely different ideas. The first 
one uses some algebraic equations, and the second one is based on differential 
cryptanalysis. 

6 Cryptanalysis of two compositions of C* algorithms 

A very natural idea, in order to keep a bijective cryptosystem with easy secret 
computations, is to do the composition of two Matsumoto-Imai Algorithms. 
Of course one problem is that the public polynomials will be of total degree four 
(instead of two) but if n is not too big, so if K = F_q is not so small (q = 2^k, 
with k ≥ 1), then the length of the public key may still be acceptable. However 
we show in the extended version of this paper a bigger problem: such a scheme 
remains insecure. 

We will just give here the idea of the attack. It is to compute all the equations 
of this form: 

Σ_i Σ_j Σ_k γ_{ijk} x_i x_j y_k + Σ_i Σ_j μ_{ij} x_i x_j + Σ_i Σ_j ν_{ij} x_i y_j + Σ_i ρ_i x_i + ⋯ = 0. 

Then we will introduce some "transition" variables p_i such that these equations 
can be written like this: 

Σ_i Σ_j γ'_{ij} p_i y_j + Σ_i μ'_i p_i + Σ_i ν'_i y_i + ρ' = 0 

when the y_i variables are given, then from these equations we will be able to 
find the p_i variables (by Gaussian reduction). Then we will find x from the p_i 
variables as in the attack of [2]. 
7 Cryptanalysis of the little Dragon Algorithm 
Introduction 

In this paragraph we will study the cryptanalysis of the "little Dragon" algo- 
rithm. What we call "little Dragon algorithm" is the algorithm where instead 
of equation (1) (of paragraph 2.2) the hidden equation is: 

a · b = a^{q^θ+q^φ}, (7) 

where θ and φ are secret integers such that h = q^θ + q^φ − 1 is coprime with q^n − 1. 
Since there are not a lot of possible values for θ and φ we can also assume that 
θ and φ are public. 

This algorithm looks very interesting because the public equations computed 
from (7) are only of total degree two. However this algorithm is insecure, as we 
will see now. 

Cryptanalysis of the scheme 

We will assume here that the secret functions s and t are linear (not only affine). 
This probably does not change a lot of things (moreover there the value a = 0 
can very easily be detected so we can clearly assume that s is linear). So the 
public equations coming from (7) are a set of n equations like this: 

Σ_{j,k} γ_{ijk} x_j y_k + Σ_{j,k} μ_{ijk} x_j x_k = 0, 1 ≤ i ≤ n. (8) 

Let δ_i = Σ_{j,k} γ_{ijk} x_j y_k. The values δ_i are public and they represent 
the "hidden" components of a · b. We denote by δ = (δ_1, …, δ_n). 
The cryptanalysis is in four steps. 

Step 1 We compute the vector space of all the linear transformations C and D 
such that: 

∀i, 1 ≤ i ≤ n, (C(δ))_i = Σ_{j=1}^{n} Σ_{k=1}^{n} γ_{ijk} x_j (D(y))_k. (9) 

This set will be found by Gaussian reductions on the values of the C and D 
matrices. 

We are sure to find a vector space of solutions of dimension at least n since 
we have: 

∀λ ∈ F_{q^n}, λ(a · b) = a · (λb). 

So each transformation b ↦ λb gives a couple (C, D) of matrices solution. 

Moreover I did a small simulation and in this simulation I found a dimension 
exactly n for the set of solutions. For simplicity, let us assume that we have 
exactly such a dimension n of solutions. 

Since the set of solutions found for D depends on n free variables, we can 
call these variables λ_1, λ_2, …, λ_n, and we can denote λ = (λ_1, …, λ_n), and 
D_λ the solution with the parameter λ. We will also denote by D_λ(y) the vector 
of components ((D_λ(y))_1, …, (D_λ(y))_n). 

Step 2 We compute the vector space of all the linear transformations E such 
that: 

D_{E(λ)}(y) = D_{E(y)}(λ). 

Here again we expect to find a vector space of dimension n (and indeed this is 
what I found in my small simulation). Let E_0 be such a solution and let * be 
the operation such that by definition: 

λ * y = y * λ = D_{E_0(λ)}(y). 

Remark. If we denote by t the secret affine transformation from b to y, then 
there will be an element μ ∈ F_{q^n}, μ ≠ 0, such that: 

λ * y = t(μ · t^{-1}(λ) · t^{-1}(y)). 

So t and μ are not known, but such an operation * has been found. 

Step 3 Let h = q^θ + q^φ − 1, so b = a^h, and let h' be the inverse of h mod 
q^n − 1, so a = b^{h'}. We can assume that h' is public because there are not a lot 
of possible values for θ and φ (so the cryptanalyst can try one by one all the 
solutions). 

Let f be the function: f(y) = y^{*h'}, where y^{*h'} denotes y * y * ⋯ * y, h' times. 
(This function f is computed by square and multiply from the operation *). Then 
we have: f(y) = t(μ^{h'−1} b^{h'}) = t(μ^{h'−1} a) (where b denotes t^{-1}(y) as usual). So 
f(y) = W(x), where x is the cleartext and W an affine function! So from f it is 
easy to find W by Gaussian reductions on a few cleartext/ciphertext couples. 

Step 4 Now that f and W are found it is easy to decrypt any message since: 
x = W^{-1}(f(y)). 
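The following Python block is an added example (not code from the paper) that serves two passages: the proof in section 3 that (G1), (G2), (G3) give only 2n independent equations, and Steps 3 and 4 of the little Dragon attack above. It assumes a toy field F_{2^8} (modulus x^8+x^4+x^3+x+1) instead of the paper's n = 32 to 64, takes s and t as multiplications by secret constants, and all function names are constructed for the example.

```python
# Added example, not from the paper: F_{2^n} arithmetic (n = 8 here, a toy size;
# the paper uses n = 32 to 64) checking the MIIP-3 identities (G1)-(G3) and the
# 2n-independence proof of section 3, plus h, h' and y^{*h'} from section 7.
from math import gcd
N, POLY = 8, 0x11B        # F_{2^8} as bit polynomials mod x^8+x^4+x^3+x+1
Q, ORDER = 2, 2**N - 1    # ORDER = q^n - 1, the multiplicative group order

def gf_mul(a, b):
    """Product in F_{2^8}: carry-less multiply, reducing by POLY at each shift."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a & 0x80 else 0), b >> 1
    return r

def gf_pow(a, e):
    """a^e for a != 0 by square-and-multiply; e may be negative as a^ORDER = 1."""
    r, e = 1, e % ORDER
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def miip3_identities(a, theta, phi):
    """b = a^(1+q^θ+q^φ), A, B, C as in section 3: do (G1), (G2), (G3) hold?"""
    qt, qp = Q**theta, Q**phi
    b = gf_pow(a, 1 + qt + qp)
    A, B, C = gf_pow(a, 1 + qt), gf_pow(a, 1 + qp), gf_pow(a, qt + qp)
    g1 = gf_mul(B, gf_pow(b, qt)) == gf_mul(b, gf_pow(C, qt))
    g2 = gf_mul(A, gf_pow(b, qp)) == gf_mul(b, gf_pow(C, qp))
    g3 = gf_mul(gf_pow(A, qt), gf_pow(b, qp)) == gf_mul(gf_pow(b, qt), gf_pow(B, qp))
    return g1, g2, g3

def g3_follows(b, C, theta, phi):
    """Section 3 proof: for b != 0 and ANY C, solving (G1) for B and (G2) for A
    makes (G3) hold, so the three give only 2n independent equations."""
    qt, qp = Q**theta, Q**phi
    B = gf_mul(gf_pow(b, 1 - qt), gf_pow(C, qt))
    A = gf_mul(gf_pow(b, 1 - qp), gf_pow(C, qp))
    return gf_mul(gf_pow(A, qt), gf_pow(b, qp)) == gf_mul(gf_pow(b, qt), gf_pow(B, qp))

def star_power(y, e, star):
    """y^{*e} = y * ... * y (e >= 1 factors) by square-and-multiply on *, as in Step 3."""
    r, base = None, y
    while e:
        if e & 1:
            r = base if r is None else star(r, base)
        base, e = star(base, base), e >> 1
    return r

def little_dragon_toy(theta, phi, s, t, mu, xs):
    """Steps 3-4 of section 7, with s and t taken as multiplications by secret
    constants (F_2-linear bijections, a simplification). Returns h' and the set
    of ratios f(y)/x over xs: a single ratio means f(y) = W(x) with W linear."""
    h = Q**theta + Q**phi - 1            # a*b = a^(q^θ+q^φ), so b = a^h
    if gcd(h, ORDER) != 1:
        return None                      # h must be invertible mod q^n - 1
    hp = pow(h, -1, ORDER)               # h' = h^{-1} mod q^n - 1
    t_inv = gf_pow(t, -1)
    star = lambda l, y: gf_mul(t, gf_mul(mu, gf_mul(gf_mul(l, t_inv), gf_mul(y, t_inv))))
    ratios = set()
    for x in xs:                         # y = t(b), b = a^h, a = s(x)
        y = gf_mul(t, gf_pow(gf_mul(s, x), h))
        ratios.add(gf_mul(star_power(y, hp, star), gf_pow(x, -1)))
    return hp, ratios
```

With n = 8 the exponents θ = 2, φ = 3 give h = 11, coprime with 255, while θ = 1, φ = 2 give h = 5 and are rejected, matching the coprimality condition on h.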

8 Cryptanalysis of the Dragons of paragraph 2 

Now we will give an algorithm for the cryptanalysis of the Dragon scheme given 
in paragraph 2. 

For simplicity we will assume that M (or N) is bijective and that s and t 
are linear. (This probably does not change much). So we can assume that the 
hidden equation is: 

a^{q^θ+q^φ} · b = a^{q^{θ'}+q^{φ'}} · N(b). 

Since s and t are linear we know from paragraph 4 that the public key can be 
given as a set of about 2n equations like this: p_i = Σ_{j=1}^{n} Σ_{k=1}^{n} ν_{ijk} x_j x_k, 1 ≤ i ≤ 2n, 
plus a set of n equations like this: Σ_{j=1}^{2n} Σ_{k=1}^{n} δ_{ijk} p_j y_k = 0, 1 ≤ i ≤ n. (From the public 
key it is always feasible to find these two sets of equations). 

Let δ_i = Σ_{j=1}^{2n} Σ_{k=1}^{n} δ_{ijk} p_j y_k. The values δ_i, 1 ≤ i ≤ n, are public. We denote by 
δ = (δ_1, …, δ_n), and by p = (p_1, …, p_{2n}). The cryptanalysis is in four steps. 

Step 1 We compute (by Gaussian reductions) the vector space of all the linear 
transformations C and D such that: 

∀i, 1 ≤ i ≤ n, (C(δ))_i = Σ_{j=1}^{2n} Σ_{k=1}^{n} δ_{ijk} (D(p))_j y_k. 

C is an n × n matrix and D is a 2n × 2n matrix. 

We are sure to find a vector space of solutions of dimension at least n since 
we have: 

∀λ ∈ F_{q^n}, λ(a^{q^θ+q^φ} · b − a^{q^{θ'}+q^{φ'}} · N(b)) = (λa^{q^θ+q^φ}) · b − (λa^{q^{θ'}+q^{φ'}}) · N(b). 

So each transformation (a^{q^θ+q^φ}, a^{q^{θ'}+q^{φ'}}) ↦ (λa^{q^θ+q^φ}, λa^{q^{θ'}+q^{φ'}}) gives a couple 
(C, D) of matrices solution. 

Step 2 Let D_0 be such a solution, with D_0 ≠ 0. Then we will find an invertible 
matrix S such that D_0 = S^{-1} D'_0 S where 

D'_0 = ( D_1  0 ; 0  D_2 ) 

where D_1 and D_2 are two n × n matrices. (This is feasible from the matrices 
reduction theory, however I did no simulation. See for example [4]). D_1 will 
come from a^{q^θ+q^φ} ↦ λa^{q^θ+q^φ} and D_2 will come from a^{q^{θ'}+q^{φ'}} ↦ λa^{q^{θ'}+q^{φ'}}. 

Step 3 The matrix S gives a change of variables on the p_i variables: let p'_1, …, p'_n 
be the terms changed by D_1 and q'_1, …, q'_n be the terms changed by D_2. Then 
the n equations δ_i can be rewritten in n equations like this: 

Σ_{j=1}^{n} Σ_{k=1}^{n} δ'_{ijk} p'_j y_k = Σ_{j=1}^{n} Σ_{k=1}^{n} δ''_{ijk} q'_j y_k 

Step 4 Let δ'_1, …, δ'_n be the terms of the left side of this equation: 

δ'_i = Σ_{j=1}^{n} Σ_{k=1}^{n} δ'_{ijk} p'_j y_k 

These terms come from a^{q^θ+q^φ} · b. From these terms we will find an operation 
λ * y exactly as we did for the little Dragon algorithm. So if a = b^h (as in 
paragraph 2 example 2 with u = 0 or as in the (G1) equation of MIIP-3) then 
we will just compute y^{*h'} with this * operation. What about more general cases, 
i.e. when the transformation from b to a is more complex than b = a^h? Due 
to the lack of space please see the extended version of this paper. (The idea is 
to find the analogy of b ↦ (N(b)/b)^{h'} in y with the * operation as the basic 
operation on y). 

9 Cryptanalysis of MIIP-3 

Now we will give an algorithm for the cryptanalysis of the MIIP-3 algorithm. 
For simplicity we will assume that s and t are linear (this probably does not 
change a lot of things). Since s and t are linear we know from paragraph 4 that 
the public key can be given as a set of about 3n equations like this (sometimes 
more): p_i = Σ_{j=1}^{n} Σ_{k=1}^{n} ν_{ijk} x_j x_k, 1 ≤ i ≤ 3n, plus a set of about 3n equations like 
this: Σ_{j=1}^{3n} Σ_{k=1}^{n} δ_{ijk} p_j y_k = 0, 1 ≤ i ≤ 3n. These equations come from 

(G1): B · b^{q^θ} = b · C^{q^θ}, (G2): A · b^{q^φ} = b · C^{q^φ}, (G3): A^{q^θ} · b^{q^φ} = b^{q^θ} · B^{q^φ} 

where A = a^{1+q^θ}, B = a^{1+q^φ}, and C = a^{q^θ+q^φ}. (Sometimes we have more than 
these 3n equations, but for simplicity we will assume that there are only these 
3n equations and that they give a vector space of dimension 3n). 

Let δ_i = Σ_{j=1}^{3n} Σ_{k=1}^{n} δ_{ijk} p_j y_k. The values δ_i, 1 ≤ i ≤ 3n, are public. We denote by 
δ = (δ_1, …, δ_{3n}) and by p = (p_1, …, p_{3n}). The cryptanalysis is in three steps. 

Step 1 We compute (by Gaussian reductions) the vector space of all the linear 
transformations D and E such that: 

∀i, 1 ≤ i ≤ 3n, (D(δ))_i = Σ_{j=1}^{3n} Σ_{k=1}^{n} δ_{ijk} (E(p))_j y_k. 

E is a 3n × 3n matrix and D is also a 3n × 3n matrix. 

We are sure to find a vector space of solutions of dimension at least n since 
we have: ∀λ ∈ F_{q^n}, if B is changed in λ^{q^θ} · B, C in λC and A in λ^{q^φ} · A, then (G1) 
is changed in λ^{q^θ}(G1), (G2) in λ^{q^φ}(G2) and (G3) in λ^{q^{θ+φ}}(G3). 

Step 2 Let E_0 be such a solution for E, with E_0 ≠ 0. Then we will find an 
invertible matrix S such that E_0 = S^{-1} E'_0 S where 

E'_0 = ( E_1  0  0 ; 0  E_2  0 ; 0  0  E_3 ) 

(This is feasible from the matrices reduction theory. See for example [4]). 

E_1 comes from (G1) ↦ λ^{q^θ}(G1), E_2 comes from (G2) ↦ λ^{q^φ}(G2) and E_3 
comes from (G3) ↦ λ^{q^{θ+φ}}(G3). 

Step 3 From S we can isolate the equation (G1) from the other equations, and 
so attack the scheme as a Dragon scheme as we did in paragraph 8. 

Remark. For MIIP-4 (i.e. with the hidden equation b = a^{1+q^θ+q^φ+q^ψ}) the 
same kind of polynomial attack exists. 

10 Unclear cases 

In all the schemes. Is the cryptanalysis more difficult if the transformations 
s and t are affine (instead of linear)? (Probably not, but I did not check). 

For MIIP-3 and C*. In MIIP-3, with the original public form, or in C*, 
what do we do if 2 or 3 of the public polynomials are not given? The scheme will 
still work in signature, and also in encryption if we had redundancy, but may be 
more difficult to attack. (However if only one equation is not given with n = 64 
and K = F_2 then from the Birthday paradox we will easily be able to find this 
equation). 



PART 3: A candidate for 64 bits signatures and conclusion 

11 A candidate Dragon algorithm for extremely short signatures 

∀a ∈ F_{q^n}, ∀b ∈ (F_q)^{2n}, let 

f(a, b) = Σ_{i=1}^{k} α_i · a^{q^{γ_i}+q^{β_i}} · N_i(b) + Σ_{i=1}^{k'} α'_i · a^{q^{γ'_i}} · N'_i(b) + δ_0 

where for all the indices i we have: α_i, α'_i, δ_0 ∈ F_{q^n}, γ_i, β_i, γ'_i, k and k' are 
integers, N_i and N'_i are affine functions of (F_q)^{2n} → F_{q^n} (as usual affine means 
affine over F_q), and where the degree d in the a variable is not too large (for 
example d ≤ 8000). 

Then let a = s(x) and b = t(y) where s and t are two secret affine permu- 
tations. In a basis f(a, b) = 0 gives n equations of total degree three (degree 
two in a_i and one in b_i variables). These n equations will be written in x_i and 
y_j variables (Step 1) and then a linear and bijective transformation is done on 
these equations (Step 2). We obtain like this a set (G) of n equations of total 
degree three (degree two in x_i and one in y_j variables). (G) is public. f is secret 
(this function is "hidden" by s and t). 

For example q = 2, n = 64, and in f we have all the monomials a^{2^{γ_i}+2^{β_i}} and 
all the monomials a^{2^{γ'_i}} with 2^{γ_i} + 2^{β_i} < 8000 and 2^{γ'_i} < 8000, and α_i and α'_i are 
randomly chosen in F_{q^n}, and N_i and N'_i are also randomly chosen. 

Let M be a message to sign. The signature of M is (x||R) where R is any 
small integer with no pattern 1000 in its expression in base 2 (for example R = 0). 
x is any 64 bits value such that if we denote y = Hash(R||1000||M), then (x, y) 
satisfies all the n equations of (G). Here Hash is a collision free hash function 
with 128 bits outputs (for example Hash = MD5), and || is the concatenation 
function. So anybody can verify a signature (x, R) without any secret. In order 
to compute the signature we will compute b = t^{-1}(y), then we will solve in a 
the equation f(a, b) = 0 (this is always feasible with a complexity polynomial 
in d). If there is no solution, we try with another value R (for example R = 1 
instead of R = 0) until we find a solution a. Then x = s^{-1}(a) is computed. On 
average the length of the signature (R, x) will only be about 64 bits. (Moreover 
we can also give only x as the signature and all the small values of R will be tried 
one by one to check the signature). We avoid the "birthday paradox" since we 
can not publicly compute y from x but just check if x and y match together or 
not. However the time to compute a signature is long so this scheme is not very 
efficient. Its interest lies in the fact that it is the first candidate algorithm with 
64 bits asymmetric signatures (I do not know any previous candidate). The best 
attack that I know against this scheme needs more than 2^50 computations. With 
80 bits signatures this attack needs more than 2^64 computations. Moreover after 
these computations, only one signature is found: to compute another signature 
the same huge computations are needed. 

This algorithm is still a Dragon algorithm (since x and y are mixed) but with 
a hidden function instead of a hidden monomial. 

Note 1 These attacks are based on the idea to do exhaustive search on n − k 
variables x_i, k small, and to find the k other variables from the public equations. 
I was not able to see somebody who knows if a better attack is known to solve a 
randomly set of n quadratic equations over GF(2) when n ≈ 64. I will try to 
have the efficiency of the known algorithms for the conference in August. Maybe 
n = 64 is easy even for random quadratic equations? 

Note 2 For any signature scheme with signatures of length 64 bits that can sign 
messages of arbitrary length, after about 2^32 signatures two messages signed have 
the same signature. However here the collision is obtained between two messages 
signed by the owner of the secrets, and moreover only after 2^32 signatures, made 
by himself. So this may not be a problem. 

Note 3 The function f (as in a variation of HFE) can also be more general, 
as long as in a basis f(a, b) is of small degree in a_i and b_i variables and the 
computation of a such that f(a, b) = 0 is feasible. For example a multivariate 
resolution algorithm with a few variables (8 equations with 8 variables for ex- 
ample with each variable on 8 bits) will be hidden as an intractable system of 
64 equations with 64 variables a_i and 64 variables b_i by s and t. 

12 Conclusion 

In this paper, we have studied some algorithms based on the idea of a "hidden" 
monomial. The motivation was that these algorithms are very efficient and that 
some of these algorithms were candidate trapdoor one way permutations. Un- 
fortunately we have seen that all the easy transformations of C* can be attacked 
in polynomial complexity. (Some simulations would be required to test the va- 
lidity of the attacks). We have also described a candidate algorithm for 64 bits 
signatures that has so far resisted all attacks. However this algorithm is not very 
efficient and also has no proof of security. So at present, the two algorithms of 
[3] seem to remain the best candidates to try to repair the C* algorithm of [1]. 